Vulnerability and Control Deficiency Analysis is the systematic process of identifying, categorizing, and evaluating weaknesses in IT systems, processes, and controls — then determining the gaps between how controls currently operate and how they must operate to reduce risk to an acceptable level. A vulnerability is a condition exploitable by a threat (e.g., an unpatched library, a misconfigured firewall). A control deficiency is the root cause explanation for why that vulnerability exists or persists: the control was never designed (absence), was poorly designed (design deficiency), or exists on paper but fails in practice (operating deficiency). The analysis output is a prioritized, business-impact-mapped deficiency register that drives remediation decisions.
Where it stops · what it isn't
- IS: Systematic identification and evaluation of weaknesses in systems, processes, and controls, categorized by deficiency type (design, operating, absence) with root cause analysis
- IS: The methodology that transforms raw vulnerability scanner output into prioritized, business-impact-mapped control deficiency findings
- IS: Assessment of whether existing controls are adequate in design and effective in operation to mitigate identified risks
- IS NOT: Threat modeling or risk scenario development; those activities assume vulnerabilities exist and use them to construct risk scenarios, whereas this cubelet covers how vulnerabilities are found and classified
- IS NOT: Risk quantification or risk rating; those are covered in Risk Analysis Methodologies, and this cubelet produces the deficiency findings that quantification techniques consume
- IS NOT: Penetration testing as an end in itself; penetration testing is one data-gathering technique within vulnerability analysis, not the full methodology
- IS NOT: Remediation planning or control implementation; analysis identifies and prioritizes deficiencies, while remediation is a downstream activity in the risk response lifecycle
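As an added illustration (not part of the original cubelet), the following Python sketch shows how raw scanner findings can be turned into the prioritized, business-impact-mapped deficiency register described above. The control inventory, findings, and impact scoring are constructed sample data, and the `designed`/`operating` flags are assumed to come from a prior control assessment.

```python
# Constructed sample control inventory: control id -> outcome of a prior control assessment.
# A control that is missing from the inventory is treated as never designed (absence).
CONTROLS = {
    "patch-mgmt":  {"designed": True,  "operating": False},  # exists, but patch SLAs are missed in practice
    "fw-baseline": {"designed": False, "operating": True},   # runs as written, but the design permits any-any rules
}

# Constructed sample scanner findings, each tied to the control expected to prevent the issue.
# severity and asset_criticality use a 1 (low) to 3 (high) scale assumed for this example.
FINDINGS = [
    {"id": "F-1", "asset": "web-01",  "issue": "unpatched library",       "control": "patch-mgmt",  "severity": 3, "asset_criticality": 3},
    {"id": "F-2", "asset": "fw-edge", "issue": "any-any inbound rule",    "control": "fw-baseline", "severity": 2, "asset_criticality": 3},
    {"id": "F-3", "asset": "db-02",   "issue": "no DB activity logging",  "control": "db-audit",    "severity": 1, "asset_criticality": 2},
]


def classify_deficiency(control_id, controls=CONTROLS):
    """Map a vulnerability to the root-cause deficiency type of its expected control."""
    ctrl = controls.get(control_id)
    if ctrl is None:
        return "absence"      # control was never designed
    if not ctrl["designed"]:
        return "design"       # control exists but cannot achieve its objective as designed
    if not ctrl["operating"]:
        return "operating"    # control is well designed but fails in practice
    return "none"             # control adequate; the finding itself needs re-examination


def build_register(findings=FINDINGS, controls=CONTROLS):
    """Return deficiency register entries ordered by business impact, highest first."""
    register = []
    for f in findings:
        # Simple impact score constructed for the example: technical severity x asset criticality.
        impact = f["severity"] * f["asset_criticality"]
        entry = dict(f)
        entry["deficiency"] = classify_deficiency(f["control"], controls)
        entry["impact"] = impact
        register.append(entry)
    register.sort(key=lambda e: (-e["impact"], e["id"]))
    return register


if __name__ == "__main__":
    for e in build_register():
        print(f'{e["id"]} impact={e["impact"]} deficiency={e["deficiency"]:9} {e["asset"]}: {e["issue"]}')
```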
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: IT Risk Assessment Domain (CRISC Domain 2)
- REQUIRES: Risk Scenario Development (crisc-d2-risk-scenario-development); IT Controls Fundamentals (preventive, detective, corrective control taxonomy)
- ENABLES: Risk Analysis Methodologies (crisc-d2-risk-analysis-methodologies); Risk Register Maintenance (crisc-d2-risk-register); Business Impact Analysis (crisc-d2-business-impact-analysis)
- RELATED TO: Risk Events; Threat Modeling (crisc-d2-threat-modeling); Inherent / Residual / Current Risk Assessment (crisc-d2-inherent-residual-current-risk)
- CONSTRAINS: Control Design and Implementation (CRISC Domain 3)